Heartbleed heartache: This was not a drill, people, and you failed

Summary: A serious security flaw affected internet users everywhere, but the Australian government did nothing to help SME and home users understand what was happening.


After a week of Heartbleed, the SANS Institute's Internet Storm Centre (ISC) has dropped back to INFOCON Green. No longer is it a yellow alert, requiring "immediate specific action to contain the impact". Things are back to normal. So let the blaming and finger-pointing begin!

I'll start, shall I?

As a whole, the internet industry was absolutely shocking at providing end users with coherent or even accurate information about what was going on, let alone information they could understand and act upon — and, at least here in Australia, the government did nothing to help. Not good enough.

Think I'm being harsh?

Remember that Heartbleed was not a drill. The bug, CVE-2014-0160, was a missing bounds check in OpenSSL's TLS heartbeat extension: a client could send a heartbeat request whose declared payload length was larger than the payload it actually sent, and the server would echo back up to 64KB of whatever sat next to that request in its memory, which could include private keys, session cookies and passwords, without leaving a trace in ordinary web server logs. Initially, we thought that up to two-thirds of the world's encrypted web traffic might have been at risk. It turned out to be somewhat less than that. Nevertheless, the affected services included Facebook, Instagram, Twitter, Vine, Pinterest, Google, YouTube, Gmail, Foursquare, Flickr, Tumblr, Yahoo! Mail, GoDaddy, Amazon Web Services, Dropbox, OKCupid, SoundCloud... and they're just the ones listed on one infographic from LWG Consulting.

(Image: LWG Consulting)

Add in Akamai and Cloudflare, and all the others you've heard about, and you're talking about a hefty slab of the world's websites, large and small.

Here in Australia, Fairfax is now reporting that financial websites run by GE Money were vulnerable to Heartbleed, including the Myer Visa Card and Myer Card portals, as well as Coles Mastercard.
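Part of the column's complaint is that nobody told ordinary users what the flaw actually was, so for readers who want the mechanism: Heartbleed (CVE-2014-0160) was a missing length check in OpenSSL's TLS heartbeat handler, and the fix was a single comparison. What follows is an added example written for this page; it is not code from the article, from OpenSSL, or from anyone quoted here. It models the vulnerable handler and the fixed handler side by side over a constructed block of "process memory". The record layout (type, two-byte big-endian length, payload, at least 16 bytes of padding) and the fixed handler's check that header plus declared length plus padding must fit inside the record that arrived follow the OpenSSL 1.0.1g fix; the memory arena, the SECRET string and the function names are assumptions made for the demonstration.

```c
/*
 * Added example, not part of the original column: a model of the OpenSSL
 * TLS heartbeat flaw (CVE-2014-0160, "Heartbleed") and of the length check
 * that fixed it. "Process memory" is a constructed byte arena: the heartbeat
 * record sits at the front and a constructed secret follows it, standing in
 * for whatever happened to sit next to the request in a real server.
 * Nothing here touches a network.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3        /* type (1 byte) + payload length (2 bytes) */
#define PADDING_LEN  16       /* minimum padding a heartbeat message carries */
#define ARENA_SIZE   (HB_HEADER + 65535 + PADDING_LEN + 64)

/* Constructed secret (assumption); in a real server this might be a key. */
static const char SECRET[] = "session=abc123; pass=hunter2";

static uint8_t arena[ARENA_SIZE];     /* the modelled process memory */
static uint8_t response[ARENA_SIZE];  /* what would go back on the wire */

/* Lay out one heartbeat request at the front of the arena:
 *   type | payload_length (big-endian) | payload | padding | SECRET ...
 * claimed_len is the length field the sender writes; actual_len is how much
 * payload is really present. Returns the record length as the TLS record
 * layer would report it (header + real payload + padding), 0 if it won't fit. */
static size_t build_record(uint16_t claimed_len, size_t actual_len)
{
    size_t record_len = HB_HEADER + actual_len + PADDING_LEN;
    if (record_len + sizeof SECRET > ARENA_SIZE) return 0;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xffu);
    memset(arena + HB_HEADER, 'A', actual_len);          /* real payload bytes */
    memcpy(arena + record_len, SECRET, sizeof SECRET);   /* adjacent memory */
    return record_len;
}

static uint16_t declared_length(const uint8_t *rec)
{
    return (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: it trusts the
 * length field and copies that many bytes from the payload pointer without
 * asking how long the record actually was. Returns bytes written to out. */
static size_t handle_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    uint16_t payload_len = declared_length(rec);
    (void)rec_len;                         /* the bug: rec_len is never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);   /* over-reads */
    memset(out + HB_HEADER + payload_len, 0, PADDING_LEN);
    return HB_HEADER + payload_len + PADDING_LEN;
}

/* Fixed handler, mirroring the check added in OpenSSL 1.0.1g: the declared
 * payload plus header and padding must fit inside the record that arrived,
 * otherwise the request is silently dropped. */
static size_t handle_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < (size_t)(HB_HEADER + PADDING_LEN)) return 0;  /* too short */
    uint16_t payload_len = declared_length(rec);
    if ((size_t)HB_HEADER + payload_len + PADDING_LEN > rec_len) return 0;  /* the fix */
    if (rec[0] != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, PADDING_LEN);
    return HB_HEADER + payload_len + PADDING_LEN;
}

/* 1 if the response bytes contain the constructed secret, else 0. */
static int leaks_secret(const uint8_t *resp, size_t resp_len)
{
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Feed one request to the vulnerable handler; 1 if the secret came back. */
int vulnerable_leaks(uint16_t claimed_len, size_t actual_len)
{
    size_t rec_len = build_record(claimed_len, actual_len);
    if (rec_len == 0) return -1;
    return leaks_secret(response, handle_vulnerable(arena, rec_len, response));
}

/* Feed one request to the fixed handler; response length, 0 if dropped. */
size_t fixed_response_len(uint16_t claimed_len, size_t actual_len)
{
    size_t rec_len = build_record(claimed_len, actual_len);
    if (rec_len == 0) return 0;
    return handle_fixed(arena, rec_len, response);
}

int main(void)
{
    /* Malformed request: claims 200 bytes of payload, sends 4. */
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks(200, 4));
    printf("fixed handler response length:   %zu\n", fixed_response_len(200, 4));
    /* Honest request: claims 4, sends 4. The fixed handler answers normally. */
    printf("fixed handler on honest request: %zu\n", fixed_response_len(4, 4));
    return 0;
}
```

The point worth taking from the model is that the leak is not a crash and not a log entry: the vulnerable handler returns a perfectly well-formed response that just happens to carry 200 bytes of memory instead of 4, which is why nobody could tell after the fact whether a given server had been read from, and why the advice to rotate keys and passwords after patching was the only safe assumption.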

Now consider the start of a conversation I had on Australian Broadcasting Corporation (ABC) radio stations across Victoria and Western Australia on Monday night — a full week since news of Heartbleed started to seep out from under the infosec community's moth-eaten cone of silence.

"Is it safe yet to go back onto the internet? We've probably heard, to varying degrees, about this Heartbleed vulnerability — not a virus — it's an internet vulnerability. But we've been told to steer clear of the internet — well, I've been told to steer clear of the internet for a while — and change all my passwords," said presenter Prue Bentley in her introduction.

As a radio presenter, Bentley is someone who actively seeks out information. Moreover, my understanding is that she's a bit of a geek. The previous items on her program had been a chat with a former chief of the Royal Australian Navy's submarine fleet about the state of the art of underwater drones, and a lively chat about movies in which she displayed considerable knowledge of Gattaca, a science fiction classic.

Yet even though Heartbleed had been in the news for a week, Bentley still didn't know what she was meant to do. Like almost every user, she must have been affected in multiple ways — but, she told me, she'd received only one notice, from one small provider.

That's not good enough.

So why did it happen that way?

I contend that while infrastructure providers and some major players were sorting out the mess — some, like Akamai, with commendable transparency, even when things were going badly, others not so much — the vast majority of consumer-oriented operations and small players were more interested in saving face than in saving users' private data.

The infosec specialists who present the Liquidmatrix Security Digest podcast discussed Heartbleed — more ranty than usual, and well worth listening to — and reminded us, amongst other things, that the customers of smaller IT shops and software as a service (SaaS) providers are businesses that are smaller still, and those SME and home users typically have no idea what any of this security stuff means.

Telling those customers to change their passwords because you've patched some mysterious security hole breaks the bond of trust. "Why are you having to fix problems? The other guys don't keep telling me about problems, so you must be incompetent," they think. That's not exactly an incentive to be open, honest and transparent. It's tempting to keep shtum, and hope nobody notices.

Now in similar situations outside the IT world, it's the government's job to make sure people at risk get reliable information. As I wrote at Crikey, if the front door locks on two-thirds of Australian businesses could be opened with a pocket laser, without being detected, or if two-thirds of all cars could be stolen at some time in the future unless their owners took specific action this week, we'd be seeing a recall program, advertising in mainstream media, perhaps a government-funded public awareness campaign, certainly front-page headlines and calls for assistance and for heads on spikes.

But for all the talk in recent years about the imminent cybergeddon, or even a devastating refrigergeddon, the reality seems to be that we've got nothing approaching even a bare-bones civil cyber defence system.

When I called CERT Australia early in the Heartbleed scare, they referred me to their masters at the Attorney-General's Department. Fairfax journalist Ben Grubb had already done that, and the response he received was... minimalistic.

"As the national computer emergency response team, CERT Australia provides major businesses with information about unique cyber threats and support in responding to cyber security incidents upon request, including issues such as the Heartbleed vulnerability in OpenSSL," an Attorney-General's Department spokesman said in a statement.

"There is a range of open source information available about the Heartbleed vulnerability and the actions to take to address it. Useful resources are available at http://heartbleed.com/."

CERT Australia is only a small coordinating unit, and they were undoubtedly busy. Nevertheless, is it really good enough for the nation's official cyber coordinator to tell people, in effect, "You're on your own, go look on the internet"?

I don't blame the hard-working staff of CERT Australia here. I point my finger directly at the Attorney-General's office. No words can issue from CERT Australia without their say-so.

But Australia's favourite Attorney-General, Senator George Brandis QC, for all his talk of law and order, seems to have had precisely nothing to say about a real-world security risk that affected nearly every Australian online. Sigh.

We'd have been better off with a cyber-update of Bert the Turtle.



Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.



  • Mate, if the IT world waited for the Oz Govmint...

    we'd be sending IP packets by pigeons and those pigeons would be forced to take it easy by the unions.
    • Mate, if the IT world waited for the Oz Govmint...

      the pigeons would also have to pay their dues and get an EBA
      • union bashing

        How do you think working class Ozzies got decent wages? Generosity of bosses and governments? I don't think so. The unions represent us, they don't do things without their members' say so. Slagging off at unions is having a go at 20% of the Aust. workforce. Union members do the hard yards to obtain decent conditions and wages and the rest of the workforce get a free ride.
    • IP over Avian Carriers

      IP over Avian Carriers was initially described in RFC 1149.


      Old, but still good.
  • It's the government's job?

    "Think I'm being harsh?"

    It's the government's job to "do something" about something that hit most businesses by surprise, and is actively being fixed ASAP by most businesses?

    I'm not sure there's a whole lot the government can and should do. We don't expect anything from the government of the USA or other nations, why expect something from the government of Australia? Is the Australian government special somehow? Is the Australian government supposed to be your personal nanny or something?

    Meh, get off your high horse. Most internet services aren't even based in Australia. This is a global, international thing, not something specific to your landmass. I don't even know if there's a lot your government could do even if it wanted to.

    "Telling those customers to change their passwords because you've patched some mysterious security hole breaks the bond of trust."

    So businesses have been telling people all the time to change their passwords because of security holes, and now when Heartbreak pops out and affects everybody, all of the sudden it "breaks trust?" What kind of nut are you?

    "Nevertheless, is it really good enough for the nation's official cyber coordinator to tell people, in effect, 'You're on your own, go look on the internet'?"

    That's how it works in a free internet. That's the way it SHOULD work too. The government isn't your nanny or personal advisor. You shouldn't have to go to the government for advice on the internet; that's simply not its job.
    • No, it's not the government's job

      The information is out there and computer professionals should know what to do and what to advise their lay associates.

      But there's nothing wrong with government techies (military and civil service alike) sharing such wisdom as they have on a for what it's worth basis. Arguably, it's part of what we taxpayers are paying for.
      John L. Ries
    • Ha Ha Ha ha !! You must be American for sure!!!

      "We don't expect anything from the government of the USA or other nations, why expect something from the government of Australia? Is the Australian government special somehow? Is the Australian government supposed to be your personal nanny or something?"

      So funny! Only the Americans are worried that their government might become their "nanny". Ha! So funny.

      Why are the Americans always so terrified someone might think their government is their nanny? It's like they are terrified someone is going to refer to them being "a sissy boy with a nanny" or something.

      Get real.

      There's not a government in the ENTIRE world that acts anything like a nanny.

      There are tons of governments that resemble jailers, absentee fathers, drunken uncles, rich boss, and at least one that acts like your beer drinking cousin that plays too many RTS games for a hobby. At least one country in the world should be so lucky as to have a government that acts like a nanny. But there isn't. Too many schizos and special interests.

      Is it the governments job to keep the people who elected it informed of serious matters that affect wide swaths of the population?

      If you live in a western democracy I would hope so. It's just common sense. Your government doesn't have to be a sissy boy's nanny either to do that. Maybe your government is more like a "big boy's fireman" who warns you the house is on fire and you should get the F@#K out, would that make you little boys who don't want to look like sissy boys feel better???

      Get real.

      What do you think a government is for???

      Collect taxes and wage war and in the meantime look for photo opps? Seriously man.

      Government is not your nanny??? Where does this silly nonsense come from?
      • Yup.

        "What do you think a government is for???

        Collect taxes and wage war and in the meantime look for photo opps? Seriously man."

        Basically. Got a problem with wanting a minimal government? What else should it be doing? Dictating everything? If I want to be dictated to, I'll move to a nation with a dictatorship.
      • Wow... really?!

        I find your (Cayble) attack on Americans (and our government) reprehensible. Not every US citizen expects (nor wants) a nanny government. If you don't like CobraA1's comment on the article, fine. Address CobraA1's comment directly, but don't use it as an attack on America in general. Have a little common decency, please. Thank you.
      • Er, the term is British

        "Nanny state is a term of British origin that conveys a view that a government or its policies are overprotective or interfering unduly with personal choice. The term 'nanny state' likens government to the role that a nanny has in child rearing. An early usage of the term comes from Conservative British MP Iain Macleod who referred to 'what I like to call the nanny state' in his column 'Quoodle' in the December 3, 1965, edition of The Spectator."
    • Our Present Government's Reply...

      ..."What's this internets thing?"
  • Not a problem

    I heard about Heartbleed as soon as it was announced, through the usual channels. I don't recall which one - MSN, Yahoo!, ZDNet, CrackBerry, LinkedIn - not sure anymore. The Internet industry (whatever that is) provided me with up-to-date and relevant information.

    I notified all my colleagues and family members, and advised non-technical people on how to deal with it. We tested sites before using them. We changed passwords when and where needed. We cleared browser caches and cookies. Our corporate security people did their jobs. No problems.

    No government action is needed or required or desired.

    I disagree completely with this statement: " the internet industry was absolutely shocking at providing end users with coherent or even accurate information about what was going on, let alone information they could understand and act upon "
    • The "internet industry" was derelict in their duties

      The author is exactly right. It's shocking how little information was given to consumers about what they should do and if sites were affected and what they are doing. With a problem of this magnitude, a provider with any sense of responsibility or ethics would have a posting on their home page and then maybe more detailed information in a blog entry or something. I've seen very little of that. They are, I think and as the author does, too, either worried about their image or derelict in their duties. So now we know how seriously the industry takes this issue and where their priorities lie.

      The role of government here would be to require each site to have an easy-to-find page with current security threats, what they are doing to mitigate them, and what the user can/should do to mitigate them. It's obvious that without such a law or regulation the industry will mostly keep mum about it. Sure, you could search it out and get info in various places, but there are tons of providers who are simply not being transparent about their own risk and how they are dealing with it. It's really quite disgusting. And the added benefit of them being more transparent would be that you'd know if they were really responding correctly. When no information is given, then you can't be sure if a particular provider's actions are effective.

      You sound like an experienced user, bb_apptix, but there are tons of people that need a lot more hand-holding than you or me. So don't act like you are representative of the average Internet user. And don't give me any "well, if they don't know how to safely use a computer, then they shouldn't be on the Internet" argument. Without those millions of people that use the Internet while still not being a full-on geek, the Internet would not be the amazing success it's been. Keeping them safe by expecting a better response from providers helps ensure the Internet will continue to grow and prosper. I'm not saying they don't have responsibilities. I'm just saying that providers have a great deal of responsibility and they have really fallen down on the job here.
    • Well sir, you don't have a clue!!!!!!!!!!

      "I disagree completely with this statement: "the internet industry was absolutely shocking at providing end users with coherent or even accurate information about what was going on, let alone information they could understand and act upon"

      You refer to looking up information on the internet on internet news and information sources, that's nice but it's a long way from what "the internet industry" is for most people.

      I, probably very much like you, am tuned in to a great deal of internet news and information sources. Most of the world, unlike you or me, doesn't spend a lot of their time reading news and information stories on the internet, they are too busy watching their favorite TV show or football game when they are not at work. But the internet industry doesn't begin or end with news and information sources. AT ALL.

      In this particular case there are some very very striking players in the internet industry that play the LARGEST part in the whole Heartbleed matter. It's the service providers affected by Heartbleed. And it strikes me that what Mr. Stilgherrian refers to is the fact that the part of the industry affected the most seemed to be providing rather sparse information about exactly what the problem was and what exactly the threat level was and exactly how worried and why we should be that worried.

      One who indeed had the time to seek out some news on the internet on it could find some yes, but what of the specific problems affecting particular services letting us know that?

      When you look on the internet and find out that there is a part manufactured in Korea for automobiles and it's a special switch that regulates gas flow when the brakes are applied in a car, and that this piece of automobile hardware is found in numerous vehicles and is found to be highly susceptible to failure, you don't just expect to find this out from automobile reviewers and car magazines. You expect the automobile industry itself to speak up, and for each affected manufacturer to speak up and let you know just exactly what the state of affairs is for your car or the cars that you own or travel in.

      And in real life that's what happens in the car industry. But in the IT world, not so much. For many businesses affected by such IT catastrophes, it's always their hope to slide through before their customers get impacted and then patch up quick and make some minor mention after (at best) that they averted any crisis due to their diligent work.

      There is a huge difference than what most people who read and post at ZDNet are like and what the vast majority of the rest of the world is like. And most of the world EXPECTS their service providers who provide services to them by way of internet to be very vocal about whatever security issues might arise.

      And I don't think it's fair to say the vast majority in the world are in the wrong just because you and I have different interests than most of the world.
  • how is it "government's" job?

    "and, at least here in Australia, the government did nothing to help"

    it's not provided by the government, it's not run by the government, but you want to dump some of the responsibility on the government. Really....??
    • All western governments make enough money...

      ..to at least put out some official statements, news advisories as to the state of affairs when a hazardous situation arises that could cause some significant havoc.

      By the way, what country is it you live in that the government of your country has NO office that oversees various internet related concerns? Are you from Burma or something?

      I mean seriously man, if you live anywhere in the modern western world your government, which you do indeed pay for, has a department which has a very specific interest and concern over all things internet. You're paying for this. One way or another your government has people your tax dollars are paying for to monitor and report to them (your government) on exactly these kinds of things. You think maybe such things don't raise any concerns about potential cyber attacks against various countries?

      That's one reason why governments have such offices and departments relating to matters of the internet.

      So ya, I think you should get some information and advisory from the government. But then again, maybe you're one of "those kind" who likes the government to take your tax money but never do much for it and to keep what info they have out of the hands of the people who pay for it.

      Are you one of those?
      • Govt.offices

        Too busy spending taxpayer dollars spying on our near neighbours, for the benefit of the corporates.
    • OZ Govmint has already overstepped the line

      they tried to ban internet gambling for Aussies.
      they even got Apple to bar Aussies from certain apps from the appstore, like the Pokerstars app.
      And they are now throwing up the idea of forcing ISPs to filter and block Torrent traffic!
      No thanks!
      With Heartbleed, I'd rather the government just sit on their arse and do nothing and leave it up to the IT industry to sort it out.
      The Australian Government has shown a lot of incompetence when it comes to IT issues and this issue should be kept to a quiet roar instead of widespread panic.
    • Govt.responsibility

      When there is a natural disaster, eg bush fire, flood etc, affecting a huge amount of the populace you can't keep the pollies out of the media. This could be a financial disaster for many Ozzies so why shouldn't they take some responsibility and give out a few warnings. Code of secrecy and silence is the hallmark of the current govt.
  • Heartbleed North

    No better in Canada, where the tax department Revenue Canada waited 4 days to act, losing Social Insurance numbers to hackers along the way.
    Kootenay Coyote